Switch off cargo audit#6009
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6009 +/- ##
=======================================
Coverage 83.11% 83.11%
=======================================
Files 277 277
Lines 30207 30207
=======================================
Hits 25106 25106
Misses 5101 5101
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
4f3ab6f to
04aa60a
Compare
`cargo-audit` goes through all crates in the Cargo.lock which includes crate which are pulled as transitive dependencies of some crates but not used in any of our binaries. Switching to `crago-deny` fixes this since it only checks crates which are a part of our dependencies tree for our binaries. Similar to `cargo-audit`, we need to install `cargo-deny` each time to avoid a possibility of it breaking if advisory database suddenly updates the format it uses. But for the sake of speed, we now install with `--debug` flag to install debug binary (install in this case means "compile"). This saves time and does not affect the result. `cargo-audit` is also used in the license check test, but that test is fine using the potentially older version of the tool from the devctr. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
All ignores are not applicable anymore: - `gdbstub` - resolved upstream daniel5151/gdbstub#168 - `rand` - moved to deny.toml - `anyhow` - is not directly used by our crates and `cargo-deny` correctly ignores it Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
The `gdbstub` relies on the `managed` crate which is OBSD. This license is compatible with MIT, so allow list it. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
be7d742 to
acc3b0f
Compare
| ) | ||
| return findings | ||
|
|
||
| utils.run_cmd("cargo install --locked cargo-deny --debug") |
There was a problem hiding this comment.
Why is this not installed on the dev container?
There was a problem hiding this comment.
we had an issue in the past when the rustsec updated the format they use for reports, but the older version of cargo-audit we had in a container was too old and could not parse the new format. So instead we decided to just install the tool on each run.
There was a problem hiding this comment.
Would the same concern apply to cargo deny?
There was a problem hiding this comment.
PS: I see test_dependency_licenses is already calling cargo deny without re-installing it.
Also, since we use --locked here, I guess it won't even install new versions if available
There was a problem hiding this comment.
The install step will install a newer version over the old one. The test_dependency_licenses should be fine using the version from devctr.
Changes
Replace
crago-auditwithcrago-denyfor the advisory checks. This allows us to skip unnecessary notifications about crates we don't use, but which are pulled as dependencies from optional features of other crates.Also remove
.cargo/audit.tomlsince both ignores are not applicable anymore.License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.PR Checklist
tools/devtool checkbuild --allto verify that the PR passesbuild checks on all supported architectures.
tools/devtool checkstyleto verify that the PR passes theautomated style checks.
how they are solving the problem in a clear and encompassing way.
in the PR.
CHANGELOG.md.Runbook for Firecracker API changes.
integration tests.
TODO.rust-vmm.